Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Total: 219631 entries
ID Description Priority Modified date
CVE-2018-1270 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. HIGH Apr 10, 2018
CVE-2018-1273 Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack. HIGH Apr 11, 2018
CVE-2018-1275 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework. HIGH Apr 11, 2018
CVE-2018-1282 This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation. HIGH Apr 5, 2018
CVE-2018-1295 In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when third-party vulnerable classes are present in the Ignite classpath. The vulnerability can be exploited if one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket streamer. HIGH Apr 10, 2018
CVE-2018-1469 IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow an unauthenticated attacker to execute system commands using specially crafted HTTP requests. IBM X-Force ID: 140605. HIGH Apr 4, 2018
CVE-2018-2404 SAP Disclosure Management 10.1 allows an attacker to upload any file without proper file format validation. HIGH Apr 10, 2018
CVE-2018-2408 Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of a password change for a user, all other active sessions created using the older password continue to be active. HIGH Apr 10, 2018
CVE-2018-3589 In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile MDM9650, MDM9655, SD 835, SD 845, SD 850, the vswr capture size is larger than the maximum size of a diag logPacket, which can lead to a buffer overflow when the sample buffer is copied to the logPacket buffer. HIGH Apr 12, 2018
CVE-2018-3590 In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, a Use After Free condition can occur in RIL while handling requests from Android. HIGH Apr 12, 2018
CVE-2018-3591 In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016, the default build configuration of deviceprogrammer in BOOT.BF.3.0 enables the flag SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM which will open up the peek and poke commands to any memory location on the target. HIGH Apr 12, 2018
CVE-2018-3592 In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, added a change to check if the pointer has been reset to NULL or not, before writing to the memory pointed by the pointer. HIGH Apr 12, 2018
CVE-2018-3593 In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, repeated enable/disable eMBMS requests may result in a double free condition. HIGH Apr 12, 2018
CVE-2018-3594 In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845, while parsing a private frame in an ID3 tag, a buffer over-read can occur when comparing frame data with predefined owner identifier strings. HIGH Apr 12, 2018
CVE-2018-3596 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, legacy code vulnerable after migration has been removed. HIGH Apr 3, 2018
CVE-2018-3599 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while notifying a DCI client, a Use After Free condition can occur. HIGH Apr 3, 2018
CVE-2018-3638 Escalation of privilege in all versions of the Intel Remote Keyboard allows an authorized local attacker to execute arbitrary code as a privileged user. HIGH Apr 3, 2018
CVE-2018-3641 Escalation of privilege in all versions of the Intel Remote Keyboard allows a network attacker to inject keystrokes as a local user. HIGH Apr 3, 2018
CVE-2018-4082 An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the Kernel component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4083 An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the Touch Bar Support component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4087 An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the Core Bluetooth component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4091 An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the Sandbox component. It allows bypass of a sandbox protection mechanism. HIGH Apr 3, 2018
CVE-2018-4095 An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the Core Bluetooth component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4097 An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the Kernel component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 3, 2018
CVE-2018-4098 An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the IOHIDFamily component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4105 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the APFS component. It allows attackers to trigger truncation of an APFS volume password via an unspecified injection. HIGH Apr 3, 2018
CVE-2018-4108 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Disk Management component. It allows attackers to trigger truncation of an APFS volume password via an unspecified injection. HIGH Apr 3, 2018
CVE-2018-4109 An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the Graphics Driver component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4110 An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the Web App component. It allows remote attackers to bypass intended restrictions on cookie persistence. HIGH Apr 3, 2018
CVE-2018-4115 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves CFPreferences in the System Preferences component. It allows attackers to bypass intended access restrictions by leveraging incorrect configuration-profile persistence. HIGH Apr 3, 2018
CVE-2018-4124 An issue was discovered in certain Apple products. iOS before 11.2.6 is affected. macOS before 10.13.3 Supplemental Update is affected. tvOS before 11.2.6 is affected. watchOS before 4.2.3 is affected. The issue involves the CoreText component. It allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a crafted string containing a certain Telugu character. HIGH Apr 3, 2018
CVE-2018-4132 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Intel Graphics Driver component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4135 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the IOFireWireFamily component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4136 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Kernel component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4139 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the kext tools component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4140 An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the Telephony component. It allows remote attackers to cause a denial of service (NULL pointer dereference and reboot) via a Class 0 SMS message. HIGH Apr 3, 2018
CVE-2018-4143 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the Kernel component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4144 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the Security component. A buffer overflow allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 3, 2018
CVE-2018-4148 An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the Telephony component. A buffer overflow allows remote attackers to execute arbitrary code. HIGH Apr 3, 2018
CVE-2018-4150 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the Kernel component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4151 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the iCloud Drive component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 4, 2018
CVE-2018-4152 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Notes component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 3, 2018
CVE-2018-4154 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the Storage component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 4, 2018
CVE-2018-4155 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the CoreFoundation component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 3, 2018
CVE-2018-4156 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the PluginKit component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 4, 2018
CVE-2018-4157 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the Quick Look component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 3, 2018
CVE-2018-4158 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. watchOS before 4.3 is affected. The issue involves the CoreFoundation component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 4, 2018
CVE-2018-4160 An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Kernel component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read) via a crafted app. HIGH Apr 3, 2018
CVE-2018-4164 An issue was discovered in certain Apple products. Xcode before 9.3 is affected. The issue, which is unspecified, involves the LLVM component. HIGH Apr 3, 2018
CVE-2018-4166 An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the NSURLSession component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. HIGH Apr 3, 2018
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.